Android Lollipop sucks at security, says researcher

Opaque apps mean you're not clicking what you think you're clicking

Skycure security researcher Yair Amit has revealed a chained Android attack path that will greatly enhance attackers' ability to compromise 1.34 billion devices, or 95 percent of those in use.

The Accessibility Clickjacking attack exploits flaws in protections for Android's accessibility and draw-over-apps features to allow attackers to hijack devices.

The two features are popular in mobile malware, some of which regularly passes Google's security checks and makes it onto the official Play Store.

Amit's attack is a much more polished and capable demonstration of how those features can be abused to compromise modern and old handsets.

The attack has been updated since its initial disclosure in March, after Amit and colleague Elisha Eshed discovered it also applied to updated Android Lollipop version 5 devices, the most popular of all Android platforms, affecting an additional 840 million devices.

It means a covert malicious application could create an opaque overlay image and prompt users to click on specific seemingly-benign areas. Doing so would trigger a process behind the image that would open and activate accessibility settings.

Google tried to fix the flaw by blocking overlays of the accessibility OK button but Amit (@yairamit) has found it can still be clicked.

Many malware instances including a free Black Jack app disclosed today and several malicious games reported this week have used accessibility and draw-over-app features to compromise devices.

Malicious apps deploy Amit's attack flow to varying degrees of effectiveness, with some hoping users would deliberately approve accessibility features after merely reading a request claiming it needs to be activated.

Some applications, notably those security-related and for lost devices, request accessibility, draw-over-app, and root features.
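As an added example (not from the article or Skycure), the Python helper below cross-references the two capabilities the attack chain depends on. It assumes an administrator has pulled the raw `enabled_accessibility_services` secure setting (a colon-separated list of `package/service` components) and the set of packages holding the draw-over-apps permission from a device, and flags any non-allowlisted package that holds both; all sample values are constructed.

```python
"""Flag apps that can both draw over other apps and run an accessibility
service. Inputs are assumed (not from the article) to come from
`adb shell settings get secure enabled_accessibility_services` and from
an appops/dumpsys query for SYSTEM_ALERT_WINDOW holders."""

# Constructed sample data, not captured from a real device.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.game/.AutoClickService:"
    "com.example.lostphone/.LocatorService"
)
SAMPLE_OVERLAY = {"com.example.game", "com.example.weather"}
ALLOWLIST = ("com.google.android.marvin.talkback",)  # a known screen reader


def parse_enabled_accessibility_services(raw):
    """Return {package: [service components]} from the setting's raw value.

    `settings get` prints "null" when the key is unset, and the list may
    carry empty entries; both are treated as "no services enabled".
    """
    if raw is None or raw.strip() in ("", "null"):
        return {}
    found = {}
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        pkg, _, component = entry.partition("/")
        found.setdefault(pkg, []).append(component)
    return found


def flag_overlay_and_accessibility(raw_services, overlay_packages, allowlist=()):
    """Return non-allowlisted packages holding both capabilities.

    The overlay permission lets an app place an opaque image over another
    app's prompt; an enabled accessibility service lets it act on the
    user's behalf. A package with both deserves review first.
    """
    services = parse_enabled_accessibility_services(raw_services)
    findings = []
    for pkg, components in sorted(services.items()):
        if pkg in allowlist or pkg not in overlay_packages:
            continue
        findings.append({"package": pkg, "services": components})
    return findings


if __name__ == "__main__":
    for hit in flag_overlay_and_accessibility(SAMPLE_SERVICES, SAMPLE_OVERLAY, ALLOWLIST):
        print("REVIEW:", hit["package"], hit["services"])
```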

"With this exploit, a hacker could persistently monitor all of a victim’s activity, and read and possibly compose corporate emails and documents via the victim’s device," Amit says.

"This also enables ransomware exploits, where a hacker may elevate their permissions to remotely encrypt or wipe the device, potentially forcing the victim to pay money to get access to their own device."

Amit says the latest Android version, Marshmallow version 6, is "significantly more difficult to exploit" thanks to the need for users to grant individual apps the ability to draw over apps.

Barely anyone operates Marshmallow, however. Android KitKat version 4.4, released three years ago, is still used on about a third of devices, just trailing Lollipop, with many of those perhaps being older and cheaper gadgets.

Android handsets everywhere are locked into custom vendor ROMs and as such must hope manufacturers will push through Google's security updates.

Modern phones tend to operate Lollipop and Marshmallow and would be much more lucrative targets for attackers, if it is accepted that the higher device price tag is indicative of a user's bank account.

The devices also sport more processing capabilities which makes the units more useful for mobile botnets. ®